The present invention relates to systems and methods for protecting a computer against a virus or a worm.
With the widespread use of computers and computer networks such as the Internet, computer viruses have become a problem for computers and computer users. Such viruses are typically found within computer programs, files, or code and can produce unintended and sometimes damaging results. They can be transmitted by disk, electronic mail (e-mail), radio wave, light wave, or other computer-readable media. E-mail, for example, transmits electronic messages from one computer to another. These messages may be simple text messages or more complex messages containing documents and data of various types. The transmission of e-mail messages may range from transmission over a short distance, such as over a local area network between employees in adjoining offices, to transmission over extremely long distances, such as over the global Internet between users on different continents. The global reach of e-mail makes it an easy carrier for viruses.
One type of virus produces copies of itself in other programs, allows those programs to perform their regular operations, and surreptitiously performs other, unintended actions. Other types of viruses include, without limitation, worms, logic bombs, time bombs, trojan horses, and any malicious program or code residing in executable programs, macros, applets, or elsewhere. While advances have been made in the detection of viruses, the proliferation of computers and the increasing interconnection of, and communication between, computers have also increased the opportunities for the spread of existing viruses and the development of new ones. Thus, the number and type of viruses to which a computer or computer system is potentially exposed is ever changing. This is one reason that the information used to detect viruses requires seemingly constant revision and augmentation in order to detect the various strains of viruses. For example, a virulent virus that first appeared in September 2001 is Nimda (a.k.a. W32/Nimda@MM or Code Rainbow), a worm that attacks Microsoft Windows systems. Nimda attacks a variety of both server and client vulnerabilities and even the back doors left by Code Red II. Nimda can attack via e-mail: it uses the Internet Explorer exploit described in MS01-020 to cause Outlook to automatically execute the worm on a user's system. Nimda can attack via web browser: if a user visits an infected web server and does not have patch MS01-020 applied, their machine can be infected. Nimda can attack using holes opened by previous worms: Code Red II opened a variety of holes in systems, presumably for use by nefarious individuals to control the target machine, and Nimda looks for these holes and, if they are present, uses them to install itself on the machines in question. Web servers are attacked using a wide variety of previously known and patched holes. If Nimda detects the presence of file shares on a remote machine and has access rights to them, it infects the machine through those shared files.
As another example, Melissa is a computer virus launched when a user opens an infected Microsoft Word 8 or Word 9 document; Word is contained in Microsoft's Office suite of software products. The virus prompts Microsoft's Outlook e-mail program to send an infected document to addresses in the victim's Microsoft Outlook address book. The e-mail can appear to be from a boss, co-worker, or friend. Even if the user doesn't use Outlook, the virus can infiltrate the default Word document template “Normal.dot” and spread to anyone receiving the user's Word documents. The virus also modifies the registry settings for Word and changes security settings so that the Word macro warning no longer appears. The original virus is sent via e-mail with the subject line “Important Message From . . . ”, automatically filled in with the user's name. The text inside the message reads “Here is the document that you asked for. Don't show anyone else ;-).” The message includes an attached document called “list.doc” that lists pornographic Web sites.
There are various methods for detecting viruses. One method is to compare known virus signatures against targeted files to determine whether a targeted file includes a virus signature and, thus, the corresponding virus. The comparison data used for virus detection might include a set of such known virus signatures and, possibly, additional data for virus detection. Typically, the comparison data is maintained in a computer storage medium for access and use in the detection of viruses; for a personal computer, for example, the comparison data might be stored on the computer's hard disk. Periodically, comparison data updates are provided to detect new or different forms of viruses. The updates are typically provided on some source storage medium for transfer to the storage medium used to maintain the comparison data. For example, an update might be provided on a floppy disk so that a personal computer user can transfer the comparison data update from the floppy disk to the computer's hard disk to complete the update.
The comparison data is essentially discrete and static. That is, all of the information used for the detection of viruses remains constant unless it is updated or altered by the user or another relevant party or action. This is problematic because the quality of the information used to detect viruses depends on some form of comparison data maintenance. Another problem with updatable comparison data is that it can quickly lose its efficacy as new and different viruses appear. Thus, while a periodic update might seem effective, there is no telling how many new and different viruses could be produced in the interim. Still another problem with comparison data updates is that completing an update typically requires transferring an entire replacement set of data, or at least all of the new virus detection data. In either case, a significant amount of data must be transferred. More specifically, if a user updates her virus detection information using, for example, an update provided on a floppy disk, at least all of the new virus detection information is transferred from the floppy disk to the appropriate medium.
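The signature comparison described two paragraphs above, together with the update-size problem just discussed, as an added Python illustration that is not code from the patent: a small versioned signature store scans constructed sample files with stale data, then receives an incremental update carrying only the entries added since its version, so the bytes transferred can be compared against shipping the whole replacement set. The signature names, byte patterns and sample files are all constructed for the demo and are not real malware signatures; the delta format (base version, new version, added and removed entries) is an assumption of the example.

```python
"""Signature comparison and incremental (delta) updates of comparison data.

Added illustration, not code from the patent. All byte patterns and
sample "files" below are constructed for the demo and are not real
malware signatures.
"""
from dataclasses import dataclass, field

# Constructed signature sets: version 1 (installed locally) and version 2
# (published later with one additional signature).
SIGS_V1 = {
    "demo.sample.alpha": b"\x7fDEMO-ALPHA\x90\x90\xcc",
    "demo.sample.beta": b"DEMO-BETA:\xde\xad\xbe\xef",
}
SIGS_V2 = dict(SIGS_V1, **{"demo.sample.gamma": b"GAMMA-MARKER-\x00\x01\x02\x03"})

# Constructed sample files: one clean, one carrying a v1 pattern, one carrying
# the pattern that only the v2 comparison data knows about.
SAMPLES = {
    "clean.exe": b"MZ\x90\x00" + b"ordinary program bytes " * 8,
    "alpha.exe": b"MZ\x90\x00" + b"payload " + SIGS_V1["demo.sample.alpha"] + b" tail",
    "gamma.zip": b"PK\x03\x04archive " + SIGS_V2["demo.sample.gamma"],
}


@dataclass
class SignatureDB:
    """The comparison data: a versioned set of name -> byte-pattern entries."""
    version: int
    signatures: dict = field(default_factory=dict)

    def scan(self, data: bytes) -> list:
        """Names of every signature whose byte pattern occurs in the data."""
        return sorted(name for name, pattern in self.signatures.items() if pattern in data)

    def apply_delta(self, delta: dict) -> None:
        """Apply an incremental update; refuse a delta built against another base."""
        if delta["base_version"] != self.version:
            raise ValueError(
                f"delta is relative to v{delta['base_version']}, local data is v{self.version}")
        self.signatures.update(delta["added"])
        for name in delta["removed"]:
            self.signatures.pop(name, None)
        self.version = delta["new_version"]


def make_delta(old: SignatureDB, new: SignatureDB) -> dict:
    """Describe how to move from `old` to `new`, shipping only changed entries."""
    added = {n: p for n, p in new.signatures.items() if old.signatures.get(n) != p}
    removed = [n for n in old.signatures if n not in new.signatures]
    return {"base_version": old.version, "new_version": new.version,
            "added": added, "removed": removed}


def payload_size(signatures: dict) -> int:
    """Bytes moved over the update channel for a given set of entries."""
    return sum(len(name.encode()) + len(pattern) for name, pattern in signatures.items())


def run_demo() -> dict:
    """Scan with stale v1 data, update incrementally to v2, scan again."""
    local = SignatureDB(1, dict(SIGS_V1))
    publisher = SignatureDB(2, dict(SIGS_V2))

    # With stale comparison data the gamma sample is missed entirely.
    before = {name: local.scan(data) for name, data in SAMPLES.items()}

    delta = make_delta(local, publisher)
    full_bytes = payload_size(publisher.signatures)   # full replacement set
    delta_bytes = payload_size(delta["added"])        # incremental update only
    local.apply_delta(delta)

    after = {name: local.scan(data) for name, data in SAMPLES.items()}

    # Re-applying the same delta must be rejected: local data is now v2,
    # but the delta was built against v1.
    try:
        local.apply_delta(delta)
        stale_rejected = False
    except ValueError:
        stale_rejected = True

    return {"before": before, "after": after, "full_bytes": full_bytes,
            "delta_bytes": delta_bytes, "version": local.version,
            "stale_rejected": stale_rejected}


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Running the demo shows the two problems the text raises side by side: before the update the `gamma.zip` sample scans clean because the local comparison data predates its signature, and the incremental update moves only the one new entry rather than the whole set. The version check in `apply_delta` is what keeps partial updates safe; without it a delta computed against a different base could silently leave the store inconsistent.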
Regardless of the update source, the problems of updatable comparison data remain. Specifically, the user, administrator, or other relevant party is still typically responsible for accessing and updating the comparison data; the comparison data can quickly and unpredictably lose its efficacy; and a significant amount of data must be transferred from the source to the storage medium used for the comparison data. Indeed, the amount of data to be transferred may be more problematic where Internet resources are the source of the comparison data update, since a significant amount of computational resources would be used to complete the update.
Another problem in the detection of viruses is that conditions vary from computer to computer. Thus, a first computer or medium could require a first type of scanning while another computer or medium, even one in the same network as the first, could require a second type of scanning. In these instances, virus scans can be overinclusive, in that they scan for viruses that could not possibly reside at the computer, and underinclusive, if an exhaustive scan for the types of viruses likely to reside at the computer, given the conditions presented there, is not undertaken. To adequately perform a virus scan according to the conditions particular to a computer, a user or other relevant party typically must configure the scan. This is problematic because it relies upon party input. Additionally, the conditions pertaining to a particular computer, and the requisite type of scanning, can change.
With the increasing interconnection and communication between computers, the requirements for maintaining computers residing on a computer network have also increased. Again, maintenance is typically undertaken directly by a person, such as the network administrator, using resources which are locally available to that administrator. For example, in treating computers on a local area network for viruses, an administrator could commonly configure the computers to access locally available virus scanning resources. This maintenance scheme is problematic in its reliance upon updates, its failure to adapt to changing conditions, and its failure to make adequate use of resources external to the local area network. Today, popular operating systems and software, such as Microsoft's system and applications, are tied into company networks and the Internet. Since many features and much automation are built into the system, when a virus-infected e-mail is received by Microsoft's Outlook application, the virus can leverage Windows system resources to attack. The virus abuses the user's system and Outlook address book to spread itself and to impact other systems connected to the Internet. The global nature of the Internet means that one virus e-mail can create a large amount of network traffic that jams the server that the user connects to as well as the Internet. Such a virus can be destructive and can cause lost business due to computer downtime.